RSS Feed Subscribe to RSS Feed


Proxies: Forward versus reverse proxy

What is the difference between a forward and reverse proxy?


  • A forward proxy is a client proxy. It manages outgoing traffic. For example, providing content restriction or facilitating anonymity.
  • A reverse proxy is a server proxy. It manages incoming traffic, providing benefits such as load balancing and rate throttling.
  • Both forward and reverse proxies can provide caching benefits.



Let’s start with a non-technical definition of what a proxy is. A proxy could be described as “something that acts as the substitute for another.”
e.g. your manager cannot attend a meeting, so he sends you as his proxy.

In a slightly more technical context, a proxy server acts as a substitute, or intermediary, for another server e.g., a proxy server may process requests from clients seeking resources from other servers.

Most discussion of proxies refers to a “web proxy”, that is, a proxy server dealing with web content and requests. And most discussions of web proxies refer to a “forward proxy”.

Forward proxy

A “forward proxy” retrieves data from another server on behalf of the original requester.

Why would you use a forward proxy?

1) Manage how your infrastructure accesses the web

A forward proxy can be a tool to manage how your infrastructure accesses the web, acting as a gatekeeper between client browsers on your local network and the web sites they are accessing.

Example functions of forward proxies

  • Cache, so that a frequently access resource is cached avoiding external network calls everytime, improving performance and reducing bandwidth.
  • Security – safeguard the client from accessing dangerous resources (e.g. block or conceal the internal clients identity from the external network.

2) Facilitate blocked communication

Imagine you have ClientFoo, a ProxyBar and a ServerBaz.
ClientFoo wants to connect to, or pull resources from, ServerBaz
Why wouldn’t ClientFoo connect directly to ServerBaz?

a) Client side block. The administrator of ClientFoo says you cannot connect to ServerBaz e.g. your company administrator says you cannot connect to facebook

b) Server side block. ServerBaz has blocked access from ClientFoo. e.g. The administrator of ServerBaz thinks ClientFoo is trying to hack it.

In any of these cases, a (forward) proxy server may help, allowing the client to pull resources from server without going to it directly.

Instead of ClientFoo -> ServerBaz, we use ClientFoo ->ProxyBar -> ServerBaz

Note however that from an information security perspective, unauthenticated/unrestricted reverse proxies in your environment can create massive backdoors. (Thanks to @emresaglam for this call out).


Example forward proxies

  • Apache Traffic Service (can act as both forward and reverse)
  • Squid (can act as both forward and reverse)

Reverse proxy

A reverse proxy appears to the client just like an ordinary server, but it acts on behalf of the servers being connected to.

Example functions of reverse proxies

  • Load balancer
  • Cache e.g. CDNs
  • Security e.g. rate throttling or reject suspicious requests
  • SSL termination

Example reverse proxies

  • Nginx
  • Varnish
  • Apache Traffic Service (can act as both forward and reverse)
  • Squid (can act as both forward and reverse)


Tags: , , ,

Leave a Reply